Cybersecurity Practices for Health Care Organizations~ RJ BLANCHARD BENEFIT SERVICES

Page 4

Cybersecurity Practices at Medium-Sized Health Care Organizations

Medium-sized health care organizations perform critical functions for the health care and public health (HPH) sector. These organizations include critical access hospitals in rural areas, practice management organizations that support physician practices, revenue cycle or billing organizations, mid-sized device manufacturers, and group practices. Medium-sized health care organizations generally employ hundreds of personnel, maintain between hundreds and a few thousand information technology (IT) assets, and may be primary partners with and liaisons between small and large health care organizations. It is typical for a medium-sized organization to have several critical systems that are interconnected to enable work activities in support of the organization’s mission. These organizations tend to have a diverse inventory of assets that support multiple revenue streams. They also tend to have narrow profit margins, limited resources, and limited flexibility to implement robust cybersecurity practices. For example, it is rare for a medium-sized organization to have its own dedicated 24x7x365 security operations center (SOC).

Medium-sized organizations tend to focus on preventing cybersecurity events, implementing rigid security policies with few exceptions permitted. This rigidity is often due to insufficient resources to support more open and flexible cybersecurity models, such as those larger organizations can often afford. Medium-sized organizations usually struggle to obtain cybersecurity funding that is distinct from their standard IT budgets. The top security professional in an organization of this size may often feel overwhelmed by compliance and cybersecurity duties, wear multiple hats, and experience constraints around execution plans.

Medium-sized organizations operate in complex legal and regulatory environments that include but are not limited to the following:

The Office of the National Coordinator for Health Information Technology (ONC) regulations for interoperability of Certified Electronic Health Information Technology

The Medicare Access and Children’s Health Insurance Program Reauthorization Act of 2015 (MACRA)/Meaningful Use

Multiple enforcement obligations under the Food and Drug Administration (FDA)

The Joint Commission accreditation processes

The Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology Economic and Clinical Health Act (HITECH) requirements

The Payment Card Industry Data Security Standard (PCI-DSS)

Substance Abuse and Mental Health Services Administration (SAMHSA) requirements

The Gramm-Leach-Bliley Act for financial processing

The Stark Law as it relates to providing services to affiliated organizations

The Family Educational Rights and Privacy Act (FERPA) for those institutions participating in higher education
